Focus on Virus
RE: wintbp.exe Aug 17 2005 03:36AM
Dowling, Gabrielle (dowlingg sullcrom com)
Despite what Russ Cooper posted on NTBugtraq two years ago in the wake
of Blaster, that is NOT true (and wasn't true then). While Blaster,
Sasser, and the recent MS05-039 exploits rely on a buffer overflow for a
remote infection mechanism, they all use the vulnerability to download
an infectious executable to the target system, and AV absolutely can
prevent the infection if sigs are in place. These are different from
pure memory worms like Code Red and SQL Slammer.

Also, McAfee for a while has had defenses in place for pure memory
worms, and I believe several other vendors have it in place now.

Regards,

Gaby
-----Original Message-----
From: Joswiak, Johnny G. [mailto:jgjoswia (at) UTMB (dot) EDU]
Sent: Tuesday, August 16, 2005 11:16 PM
To: womalley (at) cmu (dot) edu; Schlegel, Justin; focus-virus (at) securityfocus (dot) com
Subject: RE: wintbp.exe

CA is calling it Win32.Peabot.A with a "Medium" alert, McAfee is calling
it "W32/IRCbot.worm!MS05-039", Symantec has Zotob.E, etc.
Patch the systems; this is an MS05-039 exploit. The various antivirus
companies can only provide cleanup after the worm hits unless they have
buffer overflow protection like VSE 8.0i provides (OK, a plug, but I like
it).
Hope this helps.
Johnny

-----Original Message-----
From: William O'Malley [mailto:wo (at) andrew.cmu (dot) edu]
Sent: Tue 8/16/2005 8:51 PM
To: Schlegel, Justin; focus-virus (at) securityfocus (dot) com
Cc:
Subject: Re: wintbp.exe

__________________
This e-mail is sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately.
